FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.[1]

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1010 | Application Window Discovery | FunnyDream has the ability to discover application windows via execution of |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | FunnyDream has compressed collected files with zlib.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | FunnyDream has compressed collected files with zlib and encrypted them using an XOR operation with the string key from the command line or |
| Enterprise | T1119 | Automated Collection | FunnyDream can monitor files for changes and automatically collect them.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | FunnyDream can use a Registry Run key and the Startup folder to establish persistence.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | FunnyDream can use |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | FunnyDream has established persistence by running |
| Enterprise | T1005 | Data from Local System | FunnyDream can upload files from victims' machines.[1][2] |
| Enterprise | T1025 | Data from Removable Media | The FunnyDream FilePakMonitor component has the ability to collect files from removable devices.[1] |
| Enterprise | T1001 | Data Obfuscation | FunnyDream can send compressed and obfuscated packets to C2.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | FunnyDream can stage collected information, including screen captures and logged keystrokes, locally.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | FunnyDream can execute commands, including gathering user information, and send the results to C2.[1] |
| Enterprise | T1083 | File and Directory Discovery | FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.[1] |
| Enterprise | T1070 | Indicator Removal | FunnyDream has the ability to clean traces of malware deployment.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | FunnyDream can delete files, including its dropper component.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | FunnyDream can download additional files onto a compromised host.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | The FunnyDream Keyrecord component can capture keystrokes.[1] |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | FunnyDream can use COM objects identified with |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | FunnyDream has used a service named |
| Enterprise | T1106 | Native API | FunnyDream can use the Native API for defense evasion, discovery, and collection.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | FunnyDream can communicate with C2 over TCP and UDP.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | FunnyDream can Base64 encode its C2 address stored in a template binary with the |
| Enterprise | T1120 | Peripheral Device Discovery | The FunnyDream FilepakMonitor component can detect removable drive insertion.[1] |
| Enterprise | T1057 | Process Discovery | FunnyDream has the ability to discover processes, including |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the |
| Enterprise | T1572 | Protocol Tunneling | FunnyDream can connect to HTTP proxies via TCP to create a tunnel to C2.[1] |
| Enterprise | T1090 | Proxy | FunnyDream can identify and use configured proxies in a compromised network for C2 communication.[1] |
| Enterprise | T1012 | Query Registry | FunnyDream can check |
| Enterprise | T1018 | Remote System Discovery | FunnyDream can collect information about hosts on the victim network.[2] |
| Enterprise | T1113 | Screen Capture | The FunnyDream ScreenCap component can take screenshots on a compromised host.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | FunnyDream can identify the processes for Bkav antivirus.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | FunnyDream can use |
| Enterprise | T1082 | System Information Discovery | FunnyDream can enumerate all logical drives on a targeted machine.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | FunnyDream can parse the |
| Enterprise | T1033 | System Owner/User Discovery | FunnyDream has the ability to gather user information from the targeted system using |
| Enterprise | T1124 | System Time Discovery | FunnyDream can check the system time to help determine when changes were made to specified files.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | FunnyDream can use WMI to open a Windows command shell on a remote machine.[1] |
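The T1560.002/.003 rows describe the staging format an analyst is most likely to meet on disk or on the wire: collected files are zlib-compressed and then XORed with a string key. The following is an added example, not FunnyDream's own code, that models that scheme and the matching recovery steps. The repeating-key XOR layout, the sample document bytes, and the idea of trying each command-line argument as a candidate key are assumptions made for illustration; the page does not specify the key schedule.

```python
"""
Added example (not code from the FunnyDream report or from MITRE):
models "zlib then XOR with a string key" staging and shows how an analyst
can triage and recover such a blob. Repeating-key XOR is an assumption.
"""
import zlib
from itertools import cycle

# Constructed sample of a "collected" document; not real victim data.
SAMPLE_DOC = b"Quarterly budget summary\n" * 20 + b"Prepared for internal use only.\n"
# Hypothetical key, as if taken from the dropper's command line.
SAMPLE_KEY = "fd2019"


def xor_with_key(data: bytes, key: str) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    if not key:
        raise ValueError("XOR key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key.encode("utf-8"))))


def pack_for_exfil(plaintext: bytes, key: str) -> bytes:
    """Compress first, then XOR: the order the table attributes to the backdoor."""
    return xor_with_key(zlib.compress(plaintext), key)


def unpack_staged(blob: bytes, key: str) -> bytes:
    """Undo the scheme: XOR back to a zlib stream, then inflate it."""
    return zlib.decompress(xor_with_key(blob, key))


def looks_like_xored_zlib(blob: bytes, key: str) -> bool:
    """Cheap triage check: after removing the XOR, does a zlib header appear?
    0x78 is the CMF byte for deflate/32K window; the second byte is one of the
    four FLG values zlib emits for the standard compression levels."""
    head = xor_with_key(blob[:2], key)
    return len(head) == 2 and head[0] == 0x78 and head[1] in (0x01, 0x5E, 0x9C, 0xDA)


def try_keys(blob: bytes, candidates) -> tuple:
    """Given candidate strings (e.g. every argument of a captured command
    line), return (key, plaintext) for the first that yields a valid zlib
    stream, or (None, None). The header check rejects most wrong keys before
    paying for a full decompress; zlib.error covers the rest."""
    for key in candidates:
        if not key or not looks_like_xored_zlib(blob, key):
            continue
        try:
            return key, unpack_staged(blob, key)
        except zlib.error:
            continue
    return None, None


if __name__ == "__main__":
    staged = pack_for_exfil(SAMPLE_DOC, SAMPLE_KEY)
    # Hypothetical command line the dropper might have been launched with.
    cmdline = ["dropper.exe", "-install", SAMPLE_KEY, "-silent"]
    key, recovered = try_keys(staged, cmdline)
    print("staged bytes:", len(staged), "recovered key:", key)
    print("round-trip ok:", recovered == SAMPLE_DOC)
```

The header check is what makes the candidate-key loop cheap: because a zlib stream underneath a repeating-key XOR leaks its two predictable leading bytes, a wrong key is almost always rejected before any decompression runs, and a correct guess is confirmed by `zlib.decompress` succeeding rather than by eyeballing output.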

| ID | Name | Description |
|---|---|---|
| C0007 | FunnyDream | During the FunnyDream campaign, the FunnyDream backdoor was used to execute multiple components and exfiltrate files.[1] |